如何调试 OpenSSL SSL_read：错误：14094410：SSL 例程：ssl3_read_bytes：sslv3 警报握手失败，errno 0

我们有一个在 docker 上运行客户端证书认证的 nginx 设置，我们只使用以下 ssl 设置：

ssl_protocols  TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;

当我们运行 curl 语句时，我们有以下输出：

$ curl -v --cacert ./cacert.pem https://staging-a.b.com/path
*   Trying xx.xx.xx.xx...
* TCP_NODELAY set
* Connected to staging-a.b.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ./cacert.pem
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.b.com
*  start date: Mar 23 07:17:12 2022 GMT
*  expire date: Mar 28 23:10:15 2023 GMT
*  subjectAltName: host "staging-a.b.com" matched cert's "*.b.com"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.
> GET /path HTTP/1.1
> Host: staging-a.b.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* OpenSSL SSL_read: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
* stopped the pause stream!
* Closing connection 0
curl: (56) OpenSSL SSL_read: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0

我们已经在调试模式下运行 nginx；但是 curl 命令没有触发任何日志。可能出了什么问题？有人能帮忙吗？TIA！

更新 根据 @yield 的建议（在下面的评论中），我在容器内运行了该命令，并且成功了。我通过更新容器内的 etc 主机文件并添加 来完成此操作 127.0.0.1 staging-a.b.com，然后运行该命令。下面是输出：

root@a4cb891fed8a:/# curl -k -v --cacert ./cacert.pem https://staging-a.b.com:2443/obinet/services/itsp/signup/sslc/reqcode?sid=1234billNEWCERT
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to staging-a.b.com (127.0.0.1) port 2443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: ./cacert.pem
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.b.com
*  start date: Mar 23 07:17:12 2022 GMT
*  expire date: Mar 28 23:10:15 2023 GMT
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /obinet/services/itsp/signup/sslc/reqcode?sid=1234billNEWCERT HTTP/1.1
> Host: staging-a.b.com:2443
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.13.6
< Date: Wed, 10 Aug 2022 14:48:44 GMT
< Content-Type: application/octet-stream
< Content-Length: 0
< Connection: keep-alive
< Content-Type: text/plain
< X-DEBUG-SSLCLIENTVERIFY: NONE
< X-DEBUG-docroot: /usr/local/openresty/nginx/html
<
* Connection #0 to host staging-a.b.com left intact